The Agency for National Cybersecurity identifies the categories of incidents on ICT assets not included in the national security perimeter but still subject to notification

Italy

With a Resolution of January 3, 2023, published in the Official Gazette No. 7 of January 10, 2023, the Agency for National Cybersecurity ("ACN") has identified the taxonomy of incidents involving assets other than ICT assets identified by the standards constituting the national security perimeter, which are also subject to mandatory notification to the Agency.

The Resolution is the result of the implementation of Article 3-bis of the so-called Perimeter Decree (Law-decree No. 105 of Sept. 21, 2019 converted with amendments by Law No. 133 of Nov. 18, 2019), by which the ACN was given the task of establishing the taxonomy of security incidents.

Following the entry into force of the Resolution, entities included in the national security perimeter will also have to notify the ACN, within 72 hours, of security incidents affecting ICT assets that are not included in the national cybersecurity perimeter. The 72-hour deadline runs from the moment the entity becomes aware of the security incident. The notification must be made through the communication channels and in the manner established by the Computer Security Incident Response Team (Italian CSIRT), available at https://www.csirt.gov.it.

The Resolution consists of only four articles, which refer to an Annex (Annex A) identifying the incident categories, their description and the identification code required for the notification. In addition, Section 2 of Annex A lists the events that entities within the scope of the national cybersecurity perimeter may notify in the same manner as provided in Article 1, paragraph 3-bis, of the Perimeter Decree.

Pursuant to the Resolution, an incident is defined as: "any event of an accidental or intentional nature that results in the malfunctioning, interruption, even partial, or improper use of networks, information systems or computer services".

The categories indicated by the Resolution are briefly described below, but please consult the official text for more information and details:

  • Initial access (Initial exploitation)
  • Execution (Execution)
  • Installation (Establish persistence)
  • Lateral Movement
  • Actions on objectives
  • Reconnaissance (Reconnaissance) referring to spearphishing activities

The Resolution enters into force on January 25, 2023, so there is not much time left for directly or indirectly impacted operators to update internal processes to address the reporting requirements.